Appeal filed: EuGD obtains review of GDPR damages by the German Federal Court of Justice
Munich, April 19, 2021. A consumer supported by EuGD Europäische Gesellschaft für Datenschutz mbH has achieved a landmark partial legal success before the Stuttgart Higher Regional Court. In the proceedings against Mastercard due to a data leak in the bonus program „Priceless Specials“ in August 2019, the court has dismissed the claim for damages of a woman from the Stuttgart area in the appeal instance, but the judges have expressly allowed an appeal to the Federal Court of Justice. The appeal against the ruling of March 31, 2021 (case number: 9 U 34/21) was filed on April 7 (VI ZR 111/21). As a result, Germany’s highest civil court will now decide under what conditions those affected by data leaks can assert claims for damages against companies on the basis of the General Data Protection Regulation (GDPR).
„We remain convinced that people affected by data leaks are entitled to damages if companies have violated the GDPR. According to the will of the European legislator, such claims for damages – in addition to the fines in the millions threatened by the GDPR and in some cases also imposed – play a central role in achieving the goal of effective data protection in the EU. In the present case, we consider such a violation to have occurred. In this respect, we are confident for the proceedings at the Federal Court of Justice,“ says Thomas Bindl, founder of EuGD, about the ruling and adds. „We would also like to take this opportunity to expressly thank the law firms Raimer and Spirit Legal for their great and valuable pioneering work. They are significantly advancing the development of the law in this important area and helping affected parties in a ‚David versus Goliath‘ battle.“
Appeal to clarify „widely varying case law“
The OLG Senate justified the admission of the appeal to the Federal Court of Justice on the grounds of the fundamental importance of the Mastercard proceedings at hand. Thus, it is only a matter of time until the highest court will deal with the requirements of Article 82 of the GDPR. „Of course, we cannot be satisfied with the ruling, but explicitly welcome the admission of the appeal. The fundamental clarification of issues relevant to the decision is urgently needed – also with regard to other current cases of data theft – as the previous, highly varying case law shows,“ comments attorney Daniel Raimer, who represents the plaintiff in the proceedings. „It is an important signal that three years after the GDPR came into effect, the Federal Court of Justice now deals with fundamental issues such as the right to information and the right to damages under the rules of the GDPR. In the end, however, only the European Court of Justice can provide final clarity on the interpretation of the regulation,“ adds Dr. Diana Ettig, litigator at Spirit Legal.
EuGD assumes that other German courts dealing with similar lawsuits will also follow the Stuttgart judges‘ decision and wait until this fundamental issue is decided by the Federal Court of Justice. After the Federal Constitutional Court had already urged a referral to the European Court of Justice regarding the interpretation of Article 82 of the GDPR in January, the Higher Regional Court has now cleared the way for a supreme court clarification. In the further proceedings, EuGD will continue to advocate that the rights granted to data subjects by the GDPR not only exist on paper, but can also be enforced.
For the plaintiff, as for all data subjects who have registered with EuGD.org, there is no financial risk at the Federal Court of Justice.
Sensitive data of 90,000 German customers published
In total, around 90,000 German customers of the Mastercard bonus program „Priceless Specials“ were affected by the data leak. Among other things, sensitive personal data such as names, e-mail addresses, card numbers, date of birth and, in some cases, addresses and telephone numbers were published on the Internet. In addition to compensation for material damage, European data protection law also expressly provides for compensation of non-material damage in the event of data protection infringements (Art. 82 GDPR).
EuGD Europäische Gesellschaft für Datenschutz mbH (EuGD), founded in February 2019, operates the online portal of the same name, EuGD.org, which supports consumers in enforcing legal claims arising from breaches of the General Data Protection Regulation (GDPR). The Munich-based company is already helping several thousand consumers to claim damages without incurring any costs of their own. Currently, with EuGD’s support, more than a dozen legal proceedings are underway in Germany against companies such as Amazon, Marriott and Mastercard before regional and higher regional courts and the Federal Court of Justice.
Dr. Diana Ettig (Spirit Legal)